HashiCorp Vault Policy Metrics

I gave a talk for HashiCorp’s HashiDays event earlier this year that centered around operational intelligence for HashiCorp Vault. The focus was on harnessing data and turning it into actionable insight to help drive informed decisions. One common insight that’s often required but not natively available for various reasons is a mechanism to identify what identities a policy is assigned to within Vault.

While it has some limitations one way to mine such data from Vault is through scripting via the REST API. I was actually able to accomplish this using a python script that can be found at the following URL.

The ultimate goal of the script is to generate metrics that could be used to help determine what level of access an identity has within Vault. It could also be used when looking to eliminate policy sprawl within a Vault cluster.